[dns-operations] .Org DNSSEC key management policy feedback

George Barwood george.barwood at blueyonder.co.uk
Sun Jun 21 06:38:18 UTC 2009

I came across this page


and thought some discussion might be useful.

(1) A grammar nit: "A key rollover occurs when to change to the .ORG key pair is needed."

(2) "the public will need to update their validating resolvers with the new public portion of the .ORG zone key."

Surely not? Won't the .ORG DS record be published by IANA?
I notice this is not yet the case, but assume this is just for an initial testing period, in case ORG has to be unsigned
due to operational problems.

(3) The use of NSEC3 with a single iteration ( "to reduce client-side CPU requirements" ).

I'm not criticising this, but was slightly surprised.
I think "to reduce server-side CPU requirements" might be a better justification...

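The iteration-count point in (3) concerns a cost that both sides pay: the authoritative server hashes the queried name to find the covering NSEC3, and the validating resolver recomputes exactly the same hash to check it. The following is an added example, not code from the post or from the .ORG operator, implementing the RFC 5155 hash with a constructed demo zone and salt (both assumptions), and counting the SHA-1 calls each side spends per name:

```python
import base64
import hashlib

# Constructed demo zone and parameters (assumptions, not .ORG's real data).
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 1          # one extra iteration, as in the policy being discussed
ZONE_NAMES = ["example.", "a.example.", "ns1.example.", "www.example."]
# RFC 4648 base32 alphabet -> base32hex alphabet used for NSEC3 owner names
_B32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                        "0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercase) wire-format owner name, which is what RFC 5155 hashes."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 s.5: IH(x,0)=H(x||salt); IH(x,k)=H(IH(x,k-1)||salt), H=SHA-1.
    Returns (base32hex hashed owner name, number of SHA-1 invocations spent)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    hashed = base64.b32encode(digest).decode("ascii").lower().translate(_B32HEX)
    return hashed, iterations + 1

def nsec3_chain():
    """Sorted hashed owners paired with their 'next hashed owner', as the server holds them."""
    owners = sorted(nsec3_hash(n)[0] for n in ZONE_NAMES)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]

def covers(owner, nxt, h):
    """True if hash h lies strictly between owner and nxt; the last record wraps to the first."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def server_find_covering(qname):
    """Authoritative side: hash the query name, return the covering NSEC3 (None if the name exists)."""
    h, cost = nsec3_hash(qname)
    for owner, nxt in nsec3_chain():
        if covers(owner, nxt, h):
            return (owner, nxt), cost
    return None, cost

def resolver_verify(qname, owner, nxt):
    """Validating side: recompute the identical hash and check the returned NSEC3 covers it."""
    h, cost = nsec3_hash(qname)
    return covers(owner, nxt, h), cost
```

A complete NXDOMAIN proof also carries the closest-encloser and wildcard NSEC3s, so the real per-query cost is several such hashes, each computed once by the server and once by every validating resolver.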
